Celebrity Photo Leak Puts Spotlight On The Cloud, And Security

The FBI and Apple are looking into how private photos of Jennifer Lawrence and other celebrities were stolen, in an apparent breach of security that is raising new questions about storing personal information online.

"This is a flagrant violation of privacy," Lawrence's spokeswoman said Sunday, after nude images of the actress and others began to emerge online. Some of the celebrities have denied the photos are of them; others, such as Mary Elizabeth Winstead, say they deleted the images long ago.

Lawrence and Winstead are among dozens of famous women who seem to have been targeted by a systematic hacking job that was announced by a message on the online forum 4Chan on Sunday.

Update at 3:15 p.m. ET: Apple Says Its System Wasn't Breached

Apple released a statement Tuesday saying, "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."

More from the company:

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."

Apple urged "all users to always use a strong password and enable two-step verification," including a link to info about account security.

Our original post continues:

The people behind the scheme say they have more images and video to offer, and as Ars Technica notes, voyeurism wasn't the hackers' only objective: people who said they could provide the images on 4Chan demanded money in exchange, "with one providing a Hotmail address associated with a PayPal account, and another seeking contributions to a Bitcoin wallet."

The hackers are suspected of downloading the images from cloud storage services such as Apple's iCloud, which automatically uploads and stores media files from smartphones and other electronic devices. The thieves were able to access personal accounts by exploiting a security weakness in another Apple service, according to reports by several tech news sites.

"Though it hasn't yet been confirmed that the pictures came from iCloud accounts, reports have speculated that the hackers used a recent tool called iBrute, which can repeatedly try different combinations of passwords on Apple's Find My iPhone service until one of them works. Once Find My iPhone is breached, it is possible to access iCloud passwords and view images and other data stored in a user's iCloud account. Apple had previously allowed an unlimited number of password attempts on the Find My iPhone service, but it has since limited it to five attempts, making the iBrute tool ineffective."
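The weakness the report describes, a password limit missing on one service, goes away when failed attempts are counted per account in one place that every login endpoint consults. The sketch below is an added example, not code from the article, the quoted report or Apple. The endpoint names, the 15-minute lockout, the in-memory store and the stand-in password check are assumptions; only the five-attempt limit comes from the report.

```python
import time

MAX_FAILURES = 5        # the limit the quoted report says was introduced
LOCKOUT_SECONDS = 900   # assumption: the report gives no lockout duration

class AttemptLimiter:
    """Failed-login counter keyed by account only, shared by all endpoints."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # normalized account -> (failures, locked_until)

    @staticmethod
    def _key(account):
        # "User@Example.test" and "user@example.test " must share one counter.
        return account.strip().lower()

    def allowed(self, account):
        _, locked_until = self._state.get(self._key(account), (0, 0.0))
        return self._clock() >= locked_until

    def record(self, account, success):
        key = self._key(account)
        if success:
            self._state.pop(key, None)
            return
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= MAX_FAILURES:
            self._state[key] = (0, self._clock() + LOCKOUT_SECONDS)
        else:
            self._state[key] = (failures, 0.0)

def login(limiter, check_password, endpoint, account, password):
    """Called by every endpoint; `endpoint` is for logging, never part of the key."""
    if not limiter.allowed(account):
        return "locked"  # refused before the password is even compared
    ok = check_password(account, password)
    limiter.record(account, ok)
    return "ok" if ok else "denied"

def demo(clock=time.monotonic):
    """Constructed sample: guesses spread over two hypothetical endpoints."""
    limiter = AttemptLimiter(clock)
    check = lambda account, password: password == "correct horse"  # stand-in verifier
    guesses = ["123456", "password", "qwerty", "letmein", "iloveyou", "correct horse"]
    return [login(limiter, check, ("web", "device-locator")[i % 2], "User@Example.test", g)
            for i, g in enumerate(guesses)]
```

Because the counter ignores which endpoint received the guess, the sixth attempt is refused even though it carries the right password and arrives through a different service than the previous one.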

Other questions raised by the stolen photos center on how difficult it is to delete images and video that are stored on the far-flung servers that make up the cloud. In most cases, deleting an image from a device doesn't also delete it from the cloud, which requires a separate step.

And several security experts note that for now at least, most cloud backup systems don't make it easy for users to assign different privacy levels to different files. The safest route, many say, is to disable any automatic cloud services that could store sensitive images or data online — and to remember that you lose control over anything you email or text.

Security experts also say it's dangerous to click on any link that promises to show the leaked celebrity photos, because they've "been put on websites that are loaded with malware," analyst Carmi Levy tells CTV.

The photo leak has renewed some of the discussions of last summer, when it was revealed that government spy agencies could easily access massive amounts of data being held in the cloud by large tech companies.

Those revelations sparked an editorial in The New York Times, in which Vikas Bajaj wrote that many of us have "ceded our privacy" by moving toward cloud-based storage, and "it might be incredibly hard, if not impossible, to regain what we have given up."

To explain his point, Bajaj offered this contrast:

"While moving house recently, I came across a box of letters I had received in high school and college, some more than 20 years old. Other people cannot see those letters unless I let them, a court orders that I divulge their contents or they are physically stolen. But I can't say the same about the nine-year-old messages in my Gmail account. I might think those messages are confidential just as I might hope that my private Facebook posts are, well, private. But in reality they aren't and never were."